[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 26 Jan 2004 17:51:07 -0500
On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean@av8.com>
wrote:
> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>
>> Worse, it would not solve the problem. The trouble here is not that AFS
>> tokens are stored in a kernel data structure instead of a file. It's
>> that they are indexed by a value which must be set on login, inherited
>> from each process by its children, and must not be changeable by the
>> user (to prevent token stealing). OpenSSH loses not because you need
>> special code to set tokens, and not even because you need special code
>> to generate a new PAG -- those things can be done by a PAM module.
>> OpenSSH loses because the PAM session module gets called outside the
>> inheritance chain of the user's shell, which means it can't set a PAG
>> or anything else that is inherited across a fork (e.g. groups,
>> environment variables, resource limits, etc etc etc).
>
> Right. And there is an easy solution: Turn off Privsep.
Sadly, this doesn't make any difference. OpenSSH 3.7.1 and later run PAM
session modules in a subprocess unrelated to the eventual user shell,
regardless of whether privsep is enabled. AFAIK, in earlier versions, it
works fine even with privsep, because while such things may be run in a
subprocess, they are run in a subprocess that ends up being an ancestor of
the user shell.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
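The inheritance rule the reply turns on, shown as an added example that is not part of the thread and not code from OpenSSH or OpenAFS: a per-process attribute set by a "session module" only reaches the user shell if the module ran in an ancestor of the shell. Setting a real PAG needs the AFS kernel module, so this example uses the soft RLIMIT_NOFILE as a stand-in (it is likewise inherited across fork() and exec(), and lowering it needs no privilege). The two process-tree shapes are simplified stand-ins for the two OpenSSH behaviours described above, not its actual code; `session_module`, `shell_sees`, `run_in_ancestor` and `run_in_sibling` are names chosen here.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value the "session module" installs; picked in the parent so that it
 * differs from the current soft limit and stays <= the hard limit. */
static rlim_t marker;

static rlim_t pick_marker(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    /* soft NOFILE is in practice always far above 64 */
    return rl.rlim_cur > 64 ? 64 : rl.rlim_cur - 1;
}

/* Stand-in for a PAM session module (hypothetical): change a per-process
 * attribute that children inherit, here the soft open-file limit. */
static int session_module(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = marker;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Stand-in for the user's shell: 1 if it inherited the module's change. */
static int shell_sees(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return rl.rlim_cur == marker;
}

static int exit_ok(int status) {
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Shape A (the pre-3.7.1 behaviour described above): the module runs in a
 * subprocess that then forks the shell, so it is the shell's ancestor.
 * Returns 1 if the shell saw the marker, 0 if not, -1 on fork failure. */
static int run_in_ancestor(void) {
    marker = pick_marker();
    pid_t mid = fork();
    if (mid < 0) return -1;
    if (mid == 0) {
        if (session_module() != 0) _exit(2);
        pid_t sh = fork();
        if (sh < 0) _exit(2);
        if (sh == 0) _exit(shell_sees() == 1 ? 0 : 1);
        int st;
        waitpid(sh, &st, 0);
        _exit(exit_ok(st) ? 0 : 1);
    }
    int status;
    waitpid(mid, &status, 0);
    return exit_ok(status);
}

/* Shape B (the 3.7.1+ behaviour described above): the module runs in a
 * subprocess that exits, and the shell is forked from a sibling branch, so
 * nothing the module set is inherited. Same return convention. */
static int run_in_sibling(void) {
    marker = pick_marker();
    pid_t helper = fork();
    if (helper < 0) return -1;
    if (helper == 0) _exit(session_module() == 0 ? 0 : 2);
    int st;
    waitpid(helper, &st, 0);
    if (!exit_ok(st)) return -1;          /* module itself failed */
    pid_t sh = fork();
    if (sh < 0) return -1;
    if (sh == 0) _exit(shell_sees() == 1 ? 0 : 1);
    waitpid(sh, &st, 0);
    return exit_ok(st);
}

int main(void) {
    printf("module in ancestor of shell: shell inherits = %d\n", run_in_ancestor());
    printf("module in sibling subprocess: shell inherits = %d\n", run_in_sibling());
    return 0;
}
```

The same holds for anything else set by a session module that lives in the process rather than in a file: supplementary groups, environment variables, and a PAG all follow the fork chain, so a module invoked from a process that is not on the path to the shell cannot affect it.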